De-identification of Data using Pseudonyms (Pseudonymisation) Policy

Transcription

1 De-identification of Data using Pseudonyms (Pseudonymisation) Policy Version: 2.0 Page 1 of 7

2 Partners in Care This is a controlled document. It should not be altered in any way without the express permission of the author or their representative. On receipt of a new version, please destroy all previous versions. Document Information Date of Issue: March 2014 Next Review Date: March 2016 Version: 2.0 Last Review Author: Performance and Information Manager Owner: Performance and Information Manager Directorate: Finance Approval Route Approved By: Date Approved: Management of Information Group 19/03/2014 Management of Information Group 16/03/2015 Links or overlaps with other strategies/policies: Data protection Staff Code of Confidentiality Information Asset Owner Policy Information Governance Policy NHS Number Policy Safe Haven Procedure Amendment History Issue Status Date Reason for Change Authorised V1.0 Final December 2012 Creation of document for new organisation Management of Information Group V2.0 Final March 2014 Annual Review of Document Management of Information Group V2.0 Active March 2015 Annual Review of Document Management of Information Group Contents 1 Introduction Definitions/Glossary Statement/Objective Roles & Responsibilities Business Planning and Performance Team Safe Haven Data Presentation Training and Awareness Monitoring, Auditing, Reviewing & Evaluation References Distribution... 7 Version: 2.0 Page 2 of 7

3 1 Introduction 1.1 Pseudonymisation and de-identification is concerned with enabling the NHS to undertake secondary use of personal identifiable data in a legal, safe and secure manner. The overall aim of this policy is to facilitate: The legal and secure use of personal identifiable data for secondary purposes by the NHS (and other organisations involved in the commissioning and provision of NHS-commissioned care) NHS business to no longer use identifiable data in its non-direct care related work wherever possible NHS business processes to continue to be effective in supporting the day-today operation of the NHS System-wide integration to enable relevant information to be shared between providers. 2 Definitions/Glossary 2.1 Personal Identifiable Data (PID) is any information that can identify one person. This could be one piece of data for example a person s name or a collection of information for example name, address and date of birth. 2.2 Primary Use is when information is used for direct care and medical purposes. This would directly contribute to the treatment, diagnosis or the care of the individual. This also includes relevant supporting administrative processes and audit/assurance of the quality of healthcare service provided. 2.3 Secondary Use is when information is not used for direct care and medical purposes. Generally this could be for research purposes, audits, service management, commissioning, contract monitoring and reporting facilities. When PID is used for secondary use this should be limited and de-identified so that the secondary uses process is confidential. 2.4 Pseudonymisation The technical process of replacing person identifiers in a dataset with other values (pseudonyms) from which the identities of individuals cannot be intrinsically inferred eg. the replacement of an NHS number with another random number. Pseudonymisation may be reversible or irreversible. 3 Statement/Objective 3.1 It is a legal requirement that when personal identifiable data is used for purposes not involving the direct care of an individual, i.e. Secondary Uses, the individual should not be identified unless other legal means hold, such as the person's consent or Section 251 approval. This is set out clearly in the NHS policy and good practice guidance document 'Confidentiality: the NHS Code of Practice', which states the need to 'effectively anonymise' data prior to the nondirect care usage being made of the data. Version: 2.0 Page 3 of 7

4 3.2 Data cannot be labelled as primary or secondary use data - it is the purpose of the disclosure and the usage of the data that is either primary or secondary. This means that even where it is justifiable to hold data in identifiable form, it becomes essential to ensure that only authorised users are able to have identifiable data disclosed to them. 3.3 The use of the NHS Number is Department of Health policy within Adult Social Care as well as in the NHS; its use is being supported by the NHS Number Programme. For services and organisations that operate across health and social care, the NHS Number is the key identifier of individuals and with greater access to NHS sourced data becoming available to social care organisations. The use of personal data in social care is governed by the same legal and policy frameworks that guide the use in the NHS and the Strategic Framework for De-identification covers social care as well as NHS. This means that secondary use of personal information within social care should operate against the principles and methods set out in this guidance. 3.4 Personal Identifiable Information will include: Name Initials Address Postcode Date of birth Date of death NHS Number Local system identifiers National Insurance Number. 3.5 The table below gives some examples of de-identification techniques that can be used. De-identification Type Data Display Derivations Blurring and/or banding Pseudonymisation one off Pseudonymisation repeated & consistent Quarantine data Example Output blanks instead of identifiable data Output derivation index instead of postcode Output age instead of date of birth; output 5 year age group instead of date of birth Use encryption or randomisation technique to generate unique random number to replace a NHS Number Use techniques in above row to provide same unique pseudonym for a NHS Number for multiple sets of data to enable links over time and data sets Use data items in a context different from one where they are regarded as identifiable; e.g. Local Patient Identifier is identifiable within a provider organisation but not within a commissioner organisation Version: 2.0 Page 4 of 7

5 4 Roles & Responsibilities 4.1 All databases that hold personal identifiable information should be recorded on the Information Asset Register held by the Information Governance Team. Information Asset Owners (IAO s) have the responsibility of ensuring that the data extracted from the asset s for which they are responsible are pseudonymised, or de-identified, when data is provided for secondary use. 4.2 The Caldicott Guardian takes the lead in patient/client confidentiality issues supported by the Head of Information Governance. 4.3 The Head of Information Governance is responsible for ensuring adherence to the Safe Haven Policy. Any issues with de-identification of data, or breaches of data security should be reported by IAO s to the Management of Information Group via the Information Governance Team. 4.4 Owners of Safe Haven s will be responsible for ensuring that only staff with a genuine business need have access to personal identifiable information. 4.5 The Business Planning and Performance Team have access to a variety of systems in order to produce reports and datasets for the organisation. Due to the diversity of the data from these systems all identifiable information should be kept in the Safe Haven, see section Each team must ensure that all data is handled in line with this policy. When ad hoc requests for information are received the team member dealing with the request must establish what the information will be used for in order to categorise the use as either primary or secondary. 5 Business Planning and Performance Team Safe Haven 5.1 The Safe Haven will exist to provide the means of restricting access to authorised users to personal identifiable data for the purposes of receiving and sending personal identifiable data that is expected to be used for secondary purposes and for supporting de-identification of the personal identifiable data. The Safe Haven diagram below details the steps to support the transition of information from primary source through a de-identification process to secondary use and, when necessary, re-identifying the data for use when primary data is required. Version: 2.0 Page 5 of 7

6 5.2 Safe haven Diagram Primary Use Data Source Transition Processes (restricted access) Secondary Use Primary Use of Secondary Use Sourced Data Data Activity Data Form Systems supporting direct care Patient Pesonal identifiable DQ Deriv- Linkage De-id ation Used for Collation Analysis & secondary & Storage reporting purposes Re-id SH Primary Use usage Safe Haven Pseudonymised Patient Personal identifiable Key Identifiable data Feedback Data flow De-identified or De-id = de-identification Re-id = re-identification pseudonymised facility facility 5.3 The Safe Haven comprises the facilities to restrict access by authorised users to personal identifiable data for the purpose of supporting de-identification, which in turn means that: The facilities can only be used by authorised staff sufficient to perform the functions and provide cover and back-up to ensure continuity of service Authorisation of the staff performing roles in the local Safe Haven should be through the Head of Information Governance and the equivalent of local Registration Authority processes for accessing Spine based applications The systems (or sub-systems) used for the data transition processes must have appropriate access control mechanisms to restrict access to authorised users for the specific purpose of supporting de-identification processes. 5.4 Locally this will mean that the safe haven will have three locations \\sdhtorct01\shared\nzbs\operations\performance the BP&P teams shared drive The Microsoft SQL Server Community database on server sdhis2 (SQL Server ) The Microsoft SQL Server sdhsccrdw (SQL Server ). 5.5 All of the above locations are restricted, access being controlled by Windows authentication log on. 5.6 Managers will ensure that access to the Safe Haven is kept in line with staff movement and any changes to a person s role will be reflected in a change of access to data repositories. Version: 2.0 Page 6 of 7

7 6 Data Presentation 6.1 When reports are produced from any database that contains personal identifiable information the way in which the data is presented should take into account the software being used. For example a report presented within Excel that uses a Pivot table may only display aggregated non-identifiable information. However, if the source data the pivot table links to contains identifiable information the end user of the report will be able to amend the data displayed and drill down to a level which is identifiable. Precautions should be taken to either amend the source data with a pseudonym, or preferably present the information using software that prevents this happening, such as a PDF document. 7 Training and Awareness 7.1 The annual Information Governance training that is delivered to all staff will reference the principles of Pseudonymisation. 7.2 Information Asset Owners should undertake Information Asset training where the Pseudonymisation principles will be disseminated. 7.3 The Information Governance Team will raise awareness of this policy. 7.4 Advice and support around this policy will be provided by the Information Governance Team and the Safe Haven Lead. 8 Monitoring, Auditing, Reviewing & Evaluation 8.1 Managers are responsible for ensuring their staff comply with this Policy. 8.2 The periodic review that the Information Asset Policy requires of Information Asset Owners should take into account the distribution of data from the asset and ensure that this policy is adhered to. 8.3 A review of this document will be conducted every two years or following a change to associated legislation or national / local terms and conditions of service. 8.4 Any possible breaches to this policy or data loss should be reported to Information Governance in line with the Incident Reporting Policy. 9 References 9.1 Further guidance and documentation is available on the DoH website: Confidentiality: NHS Code of Practice cyandguidance/dh_ Distribution 10.1 Staff will be advised of this policy and associated procedures / guidance through the Staff Bulletin. The Policy will be widely available to all staff and volunteers via their line manager, intranet and the website. Version: 2.0 Page 7 of 7